Back to Details

ci-cd

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Language Conventions

语言规范

Infer language style from the project:
  • Analyse existing workflows, commit messages, and documentation to detect the project's language variant (US English, UK English, etc.)
  • Match the spelling conventions found in the project (e.g., "optimize" vs "optimise", "customize" vs "customise")
  • Maintain consistency with the project's established language style throughout workflow files and comments
从项目推断语言风格:
  • 分析现有工作流、提交信息和文档,检测项目的语言变体(美式英语、英式英语等)
  • 匹配项目中使用的拼写规范(例如:"optimize" vs "optimise"、"customize" vs "customise")
  • 在工作流文件和注释中始终保持与项目既定语言风格一致

Mode Detection

模式检测

Determine the mode based on context:
  • Create mode: No 
    .github/workflows/
    directory exists, or user explicitly asks to create/add a workflow
  • Audit mode: 
    .github/workflows/*.yml
    files exist, or user explicitly asks to audit/review/fix workflows
根据上下文确定模式:
  • 创建模式:不存在
    .github/workflows/
    目录,或用户明确要求创建/添加工作流
  • 审计模式:存在
    .github/workflows/*.yml
    文件,或用户明确要求审计/审查/修复工作流

Create Mode

创建模式

1. Detect Project Type

1. 检测项目类型

Scan for project indicators:
  • package.json
    → Node.js/JS/TS
  • go.mod
    → Go
  • requirements.txt
    / 
    pyproject.toml
    / 
    setup.py
    → Python
  • Cargo.toml
    → Rust
  • Gemfile
    → Ruby
扫描项目标识:
  • package.json
    → Node.js/JS/TS
  • go.mod
    → Go
  • requirements.txt
    / 
    pyproject.toml
    / 
    setup.py
    → Python
  • Cargo.toml
    → Rust
  • Gemfile
    → Ruby

2. Detect Package Manager (JS/TS projects)

2. 检测包管理器(JS/TS项目)

  • pnpm-lock.yaml
    → pnpm
  • bun.lock
    / 
    bun.lockb
    → bun
  • yarn.lock
    → yarn
  • package-lock.json
    → npm
  • pnpm-lock.yaml
    → pnpm
  • bun.lock
    / 
    bun.lockb
    → bun
  • yarn.lock
    → yarn
  • package-lock.json
    → npm

3. Generate Workflow

3. 生成工作流

Apply all rules from the 
rules/
directory when generating workflows. Read each rule file for detailed requirements and examples.
生成工作流时应用
rules/
目录中的所有规则。查看每个规则文件以获取详细要求和示例。

4. Workflow Template

4. 工作流模板

Adapt this CI template to the detected project type and package manager (replace 
<pm>
with the detected package manager):
yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build
根据检测到的项目类型和包管理器调整此CI模板(将
<pm>
替换为检测到的包管理器):
yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build

Audit Mode

审计模式

1. Scan Workflows

1. 扫描工作流

Read all files in 
.github/workflows/*.yml
and audit against every rule in the 
rules/
directory.
读取
.github/workflows/*.yml
中的所有文件,并根据
rules/
目录中的每条规则进行审计。

2. Report Format

2. 报告格式

undefined
undefined

GitHub Actions Audit Results

GitHub Actions Audit Results

HIGH Severity

HIGH Severity

  • .github/workflows/ci.yml:15
    - 
    codecov/codecov-action@v4
    → pin to commit SHA
  • .github/workflows/ci.yml:15
    - 
    codecov/codecov-action@v4
    → pin to commit SHA

MEDIUM Severity

MEDIUM Severity

  • .github/workflows/ci.yml
    - Missing concurrency group → add concurrency block
  • .github/workflows/ci.yml
    - Missing concurrency group → add concurrency block

Summary

Summary

  • High: X
  • Medium: Y
  • Low: Z
  • Files scanned: N
undefined
  • High: X
  • Medium: Y
  • Low: Z
  • Files scanned: N
undefined

3. Auto-Fix

3. 自动修复

After reporting, apply fixes using the Edit tool. Look up commit SHAs for pinning using 
gh api
.
生成报告后,使用编辑工具应用修复。通过
gh api
查询提交SHA以完成版本锁定。

Rules

规则

Read individual rule files for detailed checks and examples:
RuleSeverityFile
Action pinningHIGH
rules/action-pinning.md
PermissionsHIGH
rules/permissions.md
ConcurrencyMEDIUM
rules/concurrency.md
Node versionMEDIUM
rules/node-version.md
CachingMEDIUM
rules/caching.md
TriggersLOW
rules/triggers.md
Matrix strategyLOW
rules/matrix.md
查看单个规则文件以获取详细检查项和示例:
规则严重程度文件
Action版本锁定HIGH
rules/action-pinning.md
权限设置HIGH
rules/permissions.md
并发配置MEDIUM
rules/concurrency.md
Node版本MEDIUM
rules/node-version.md
缓存配置MEDIUM
rules/caching.md
触发条件LOW
rules/triggers.md
矩阵策略LOW
rules/matrix.md

Assumptions

预设条件

  • GitHub CLI (
    gh
    ) is available for looking up action commit SHAs
  • The project is hosted on GitHub
  • 已安装GitHub CLI (
    gh
    ),用于查询Action的提交SHA
  • 项目托管在GitHub上